feat(feature-ideation): add curated reputable source list for Mary#102
Merged
feat(feature-ideation): add curated reputable source list for Mary#102
Conversation
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 34 minutes and 9 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughAdds a repo-local configurable reputable source list input, a last_successful_run feed checkpoint propagated through schema, scripts, and tests, and updates Phase 2 prompt and workflow permissions to prefer that sources file and constrain research to items newer than the checkpoint. Changes
Sequence Diagram(s)sequenceDiagram
actor Runner as GitHub Actions Runner
participant Caller as Repo workflow caller
participant Reusable as Reusable workflow
participant GH as gh CLI
participant Script as collect-signals.sh
participant Composer as compose-signals.sh
participant Sources as Repo-local sources file
participant Output as signals.json / Step Summary
Runner->>Caller: trigger workflow
Caller->>Reusable: invoke reusable workflow (with sources_file)
Reusable->>GH: gh run list --workflow=feature-ideation.yml --status=success --limit=1
GH-->>Script: return last successful run timestamp
Reusable->>Sources: read configured `sources_file` (if present)
Script->>Composer: call compose_signals(..., last_successful_run, ...)
Reusable->>Reusable: Phase 2 prompt seeds searches from sources_file and filters items > last_successful_run
Composer-->>Output: emit `signals.json` (includes last_successful_run)
Reusable-->>Output: print step summary including checkpoint and omissions
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
There was a problem hiding this comment.
Pull request overview
Adds an org-curated “reputable sources” list for the Feature Ideation (BMAD Analyst “Mary”) pipeline and wires it into the reusable workflow so Phase 2 market research starts from a consistent set of trusted primary sources.
Changes:
- Introduces
standards/feature-ideation-sources.mdwith categorized sources (sites/feeds/podcasts/YouTube/conferences) and per-entry justification. - Updates
.github/workflows/feature-ideation-reusable.ymlto checkout central standards into.petry-standards/and adjust the Phase 2 prompt + step-summary template accordingly. - Documents the new source-list component in
standards/ci-standards.md(Feature Ideation section).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
standards/feature-ideation-sources.md |
New curated list Mary is instructed to read first during Phase 2 market research. |
standards/ci-standards.md |
Documents the source list as a formal component of the Feature Ideation system. |
.github/workflows/feature-ideation-reusable.yml |
Checks out central standards and updates the Phase 2 prompt + step summary to incorporate the list. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/feature-ideation-reusable.yml:
- Around line 223-229: The checkout step named "Checkout central standards
(reputable source list)" must not hard-fail the job; change the actions/checkout
step (uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) to be
non-blocking by adding continue-on-error: true to that step and emit a clear
warning if it failed (e.g., a follow-up run: echo "Central standards checkout
failed, proceeding with fallback" when the step result is failure) so the
workflow can continue to the documented fallback (open web search).
In `@standards/feature-ideation-sources.md`:
- Around line 60-62: The RSS feed URLs for the arXiv entries "arXiv cs.AI",
"arXiv cs.CL", and "arXiv cs.LG" use http and must be updated to use HTTPS to
ensure transport integrity; locate the three table rows containing the
export.arxiv.org/rss links and replace the "http://" prefix with "https://" for
each feed URL so the automated evidence-gathering uses encrypted feeds.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 5d67ce26-20b5-4f93-9d7e-41860be725e0
📒 Files selected for processing (3)
.github/workflows/feature-ideation-reusable.ymlstandards/ci-standards.mdstandards/feature-ideation-sources.md
Contributor
Author
Review — fix requested (cycle 1/3)The automated review identified the following issues. Please address each one: Findings to fix
Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
don-petry
commented
Apr 16, 2026
Contributor
Author
don-petry
left a comment
don-petry
left a comment
There was a problem hiding this comment.
Automated review — NEEDS HUMAN REVIEW
Risk: MEDIUM
Reviewed commit: 4147369e9fa8ca4c5dafdeed9b74eb41d961dc82
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
The two blocking findings from cycle 1 (central-checkout fail-safety and arXiv http:// URLs) have been correctly resolved by dropping the central checkout entirely and switching to a per-repo model. However, the PR cannot merge (CONFLICTING state), CodeQL is still in progress, and the prior CHANGES_REQUESTED review has not been dismissed. One new minor issue: the Phase 8 step-summary template still references the now-removed .petry-standards/ path — it should use {{ inputs.sources_file }} instead.
Findings
Major
- [major]
gate-failure— PR is in CONFLICTING merge state and cannot be merged until rebase/merge conflicts are resolved.
Minor
- [minor]
.github/workflows/feature-ideation-reusable.yml:741— Phase 8 step-summary template tells Mary "if a high-value source kept coming up but is NOT listed in .petry-standards/standards/feature-ideation-sources.md" — but.petry-standards/is no longer checked out (the central checkout was removed in this PR). The reference should be updated to${{ inputs.sources_file }}or the repo-local path so the instruction is accurate. - [minor]
standards/workflows/feature-ideation.yml:84— Caller stub template calls the reusable workflow at@v1— a mutable tag. The prior review flagged this; it remains unaddressed. Impact is low since the content is documentation/markdown consumed as AI context rather than executed code, but it is inconsistent with how other Actions in this workflow are pinned to commit SHAs.
Info
- [info]
ci-pending— CodeQL "Analyze (actions)" check was still IN_PROGRESS at review time; CI is not fully green. - [info]
prior-review-open— CodeRabbit's CHANGES_REQUESTED review (from commit 2732d4b) has not been dismissed. GitHub may block merge depending on branch protection rules. - [info]
correctness—.github/workflows/feature-ideation-reusable.yml:88—actions: readpermission added to gather-signals job is correctly scoped forgh run list. The last_successful_run ISO-8601 value is passed to jq via --arg (no injection risk) and used only as prompt context. The macOS/Linux date fallback is correct defensive coding for non-Ubuntu runners.
CI status
CodeQL "Analyze (actions)" was IN_PROGRESS at review time. PR merge state is DIRTY (conflicts present).
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
Contributor
Author
Review — fix requested (cycle 2/3)The automated review identified the following issues. Please address each one: Findings to fix
Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
…st successful run Source list (addresses all Copilot/CodeRabbit/don-petry review threads): - Add standards/feature-ideation-sources.md as a starter template; each adopting repo copies it to .github/feature-ideation-sources.md and owns it independently (no cross-repo checkout). - Add sources_file input to the reusable workflow (default: .github/feature-ideation-sources.md). Phase 2 prompt reads the repo- local file; falls back to open web search if absent. - Fix three arXiv RSS feed URLs from http:// to https://. - Update propagation wording in ci-standards.md to reflect per-repo ownership and v1 tag model. - Pin caller stub reusable ref from mutable @v1 to commit SHA ae9709f # v1. - Add actions: read to gather-signals permissions and caller stub template (required for gh run list in same repo). Feed checkpoint (new — avoids re-reviewing same content every week): - collect-signals.sh: query gh run list --status=success --limit=1 to resolve the previous successful run timestamp; fall back to 30 days ago on first run or after a long outage. - compose-signals.sh: add last_successful_run as arg 10 (schema_version shifts to arg 11, truncation_warnings to arg 12). - signals.schema.json: add last_successful_run field; bump schema version 1.0.0 → 1.1.0 (SCHEMA_VERSION constant updated in lockstep per bats test). - Test fixtures (populated, empty-repo, truncated): add last_successful_run and bump schema_version to 1.1.0. - Phase 2 prompt: instruct Mary to filter feed entries to those published after last_successful_run; bypass checkpoint if >60 days old. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
don-petry
force-pushed
the
feat/feature-ideation-sources-list
branch
from
4147369 to
76d1f75
Compare
don-petry
dismissed
coderabbitai[bot]’s stale review
All findings addressed: arXiv HTTPS fixed, central-repo checkout replaced with per-repo sources_file input, continue-on-error moot (checkout removed), propagation wording updated, caller stub SHA-pinned. Feed checkpoint (last_successful_run) added to signals.json contract.
…un fallback
The gh stub used in bats tests returns raw fixture JSON without applying
--jq filters, so the captured last_successful_run value was a JSON array
instead of an ISO-8601 timestamp. Add a grep -qE '^[0-9]{4}-...' guard
that falls back to the 30-day default whenever the output is not a valid
date-time string, keeping all existing bats tests green without requiring
every test script to stub the new gh run list call.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The feed-checkpoint `gh run list` call added in the previous commit is now the *first* gh invocation, so every manually-built stub script in collect-signals.bats needs a corresponding first entry. - Prepend run-list-last-success.txt to all 5 manual script builders (auth-failure, graphql-errors, bot-only-truncation, discussions-truncated, no-ideas-category) - Fix date fallback format: append T00:00:00Z to date_days_ago output so the JSON Schema format:date-time constraint is satisfied Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
don-petry
commented
Apr 16, 2026
Contributor
Author
don-petry
left a comment
don-petry
left a comment
There was a problem hiding this comment.
Automated review — NEEDS HUMAN REVIEW
Risk: MEDIUM
Reviewed commit: 0425a174a1e9f8c4b76b4a74477d13f3ce843f11
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
CI is broken: compose-signals.bats tests 19–23 all fail because the test file was not updated when compose-signals.sh arity changed from 11 to 12 args. The branch is also behind main. No security concerns — the new last_successful_run field is safely handled via ISO-8601 validation and jq --arg.
Findings
Major
- [major]
test/workflows/feature-ideation/compose-signals.bats— compose-signals.bats tests 19–23 fail with '[compose-signals] expected 12 args, got 11'. The compose-signals.sh function signature was bumped to 12 positional args (inserting last_successful_run at position 10) but the unit tests in test/workflows/feature-ideation/compose-signals.bats still call it with 11 args. All compose unit tests are broken. Fix: update each compose_signals call in compose-signals.bats to pass a dummy ISO-8601 last_successful_run arg (e.g. '2026-03-01T00:00:00Z') in the 10th position and shift schema_version to 11th and truncation_warnings to 12th.
Minor
- [minor] Branch is BEHIND main (mergeStateStatus: BEHIND). Rebase or merge main into the branch before merging.
- [minor]
.github/workflows/feature-ideation-reusable.yml:741— Phase 8 step-summary template still references '.petry-standards/standards/feature-ideation-sources.md'. The cross-repo checkout was removed in this PR, making that path unreachable on the runner. The reference should be updated to use '${{ inputs.sources_file }}' or the repo-local path. This was flagged in cycle 2 and does not appear to be addressed in the current diff.
Info
- [info]
collect-signals.sh— last_successful_run ISO-8601 validation guard (grep -qE '^[0-9]{4}-[0-9]{2}-[0-9]{2}T') is a reasonable defence against the test-stub format mismatch. The T00:00:00Z suffix appended to the date_days_ago fallback correctly satisfies the JSON Schema format:date-time constraint. - [info] jq receives last_successful_run via --arg (not string interpolation), eliminating any injection risk. The actions: read permission is correctly scoped to the gather-signals job for gh run list use.
- [info]
standards/workflows/feature-ideation.yml— Caller stub now pins reusable workflow ref to commit SHA ae9709f # v1 — the mutable-tag finding from cycles 1 and 2 is resolved.
CI status
CI is failing. compose-signals.bats tests 19–23 fail due to arity mismatch (11 args passed, 12 expected after the last_successful_run parameter was added). Branch is also behind main.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
Contributor
Author
Review — fix requested (cycle 3/3)The automated review identified the following issues. Please address each one: Findings to fix
Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
All compose_signals invocations now pass last_successful_run as the new arg 10, shifting schema_version to 11 and truncation_warnings to 12. Also adds last_successful_run to the required-fields assertion in the empty-inputs test. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/scripts/feature-ideation/lib/compose-signals.sh (1)
50-58: 🧹 Nitpick | 🔵 TrivialMinor:
arg #%din the validation error message no longer matches positional indices.The validation loop iterates the 8 JSON inputs (open_issues … bug_reports, truncation_warnings) and increments
idxfrom 1. With the new signature,truncation_warningsis positional arg$12but a failure there will reportarg#8``. This was already misleading before the signature change, but it is more confusing now that non-JSON args (repo, `scan_date`, `last_successful_run`, `schema_version`) are interleaved. Consider mapping `idx` to the documented positional number (e.g. label by name) to aid debugging.♻️ Proposed tweak
- local idx=0 - for input in "$open_issues" "$closed_issues" "$ideas_discussions" "$releases" \ - "$merged_prs" "$feature_requests" "$bug_reports" "$truncation_warnings"; do - idx=$((idx + 1)) - if ! printf '%s' "$input" | jq -e . >/dev/null 2>&1; then - printf '[compose-signals] arg #%d is not valid JSON: %s\n' "$idx" "${input:0:120}" >&2 + local name + for pair in "open_issues:$open_issues" "closed_issues:$closed_issues" \ + "ideas_discussions:$ideas_discussions" "releases:$releases" \ + "merged_prs:$merged_prs" "feature_requests:$feature_requests" \ + "bug_reports:$bug_reports" "truncation_warnings:$truncation_warnings"; do + name="${pair%%:*}" + input="${pair#*:}" + if ! printf '%s' "$input" | jq -e . >/dev/null 2>&1; then + printf '[compose-signals] %s is not valid JSON: %s\n' "$name" "${input:0:120}" >&2 return 65 # EX_DATAERR fi done🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/scripts/feature-ideation/lib/compose-signals.sh around lines 50 - 58, The error message reports a misleading "arg #%d" because the loop uses a simple idx over the eight JSON variables (open_issues, closed_issues, ideas_discussions, releases, merged_prs, feature_requests, bug_reports, truncation_warnings) while other positional args exist; fix it by mapping each iterated variable to its documented positional label or actual positional number before printing: create a parallel array of names or positional indices (e.g. names=("open_issues" "closed_issues" ...)) and when a validation fails use that name (or compute the real positional index) in the printf instead of idx; update the printf call that references idx and "${input:0:120}" to use the mapped name/position so the error shows the correct argument identifier.test/workflows/feature-ideation/compose-signals.bats (1)
94-103: 🧹 Nitpick | 🔵 TrivialConsider asserting
last_successful_runround-trips verbatim.
scan_dateandrepoare checked for exact round-trip, but the newlast_successful_runargument is passed in several tests yet never asserted on the output. Since this value drives the Phase 2 feed-checkpoint behavior, a one-line assertion would catch any future refactor that silently drops or reformats it.Proposed addition
`@test` "compose: scan_date and repo round-trip exactly" { run compose_signals \ '[]' '[]' '[]' '[]' '[]' '[]' '[]' \ 'octocat/hello-world' '2030-01-15T12:34:56Z' '2029-12-15T12:34:56Z' '1.0.0' '[]' [ "$status" -eq 0 ] d=$(printf '%s' "$output" | jq -r '.scan_date') r=$(printf '%s' "$output" | jq -r '.repo') + l=$(printf '%s' "$output" | jq -r '.last_successful_run') [ "$d" = "2030-01-15T12:34:56Z" ] [ "$r" = "octocat/hello-world" ] + [ "$l" = "2029-12-15T12:34:56Z" ] }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@test/workflows/feature-ideation/compose-signals.bats` around lines 94 - 103, The test "compose: scan_date and repo round-trip exactly" calls compose_signals with a last_successful_run value but never asserts it; add a one-line assertion that extracts '.last_successful_run' from the command output (e.g., l=$(printf '%s' "$output" | jq -r '.last_successful_run')) and assert [ "$l" = "2029-12-15T12:34:56Z" ] so compose_signals (and the output JSON) round-trips last_successful_run verbatim.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/scripts/feature-ideation/collect-signals.sh:
- Around line 81-88: The code hardcodes the workflow filename in the gh run list
call (the variable last_successful_run using --workflow="feature-ideation.yml"),
which causes silent fallback to 30 days if a repo renames the workflow; change
the script to accept a workflow filename via an env var (e.g. use WORKFLOW_FILE
or GITHUB_WORKFLOW_REF) and use that when calling gh run list instead of the
hardcoded string, and add a clear stderr warning (printf ... >&2) when the gh
query returns empty and you’re about to use the 30-day fallback so
misconfiguration vs first-run is distinguishable; also add an inline comment
documenting the new WORKFLOW_FILE env convention so callers know to set it.
- Around line 93-100: The current fallback masks failures when obtaining
last_successful_run; capture the command's stderr instead of discarding it so
you can distinguish a genuine missing checkpoint from an auth/network error.
Change the logic that sets last_successful_run (the command that currently has
2>/dev/null || true) to capture both stdout (into last_successful_run) and
stderr (into, e.g., last_successful_run_err), then keep the existing regex check
on last_successful_run; if the value is unusable and last_successful_run_err is
non-empty, write a clear diagnostic to stderr (including
last_successful_run_err) before falling back to date_days_ago and setting the
30-day checkpoint, so operators can see permission/token/network failures while
preserving the existing fallback behavior.
In `@standards/workflows/feature-ideation.yml`:
- Around line 101-106: Update the commented guidance for the default
"sources_file" entry so it accurately tells users to both uncomment and edit if
they want a different path—specifically change the current line that reads
"override only if you store the file elsewhere" to something like "uncomment and
change the path only if you store the file elsewhere" next to the commented
"sources_file: '.github/feature-ideation-sources.md'" so intent is clear when
modifying the sources_file default.
---
Outside diff comments:
In @.github/scripts/feature-ideation/lib/compose-signals.sh:
- Around line 50-58: The error message reports a misleading "arg #%d" because
the loop uses a simple idx over the eight JSON variables (open_issues,
closed_issues, ideas_discussions, releases, merged_prs, feature_requests,
bug_reports, truncation_warnings) while other positional args exist; fix it by
mapping each iterated variable to its documented positional label or actual
positional number before printing: create a parallel array of names or
positional indices (e.g. names=("open_issues" "closed_issues" ...)) and when a
validation fails use that name (or compute the real positional index) in the
printf instead of idx; update the printf call that references idx and
"${input:0:120}" to use the mapped name/position so the error shows the correct
argument identifier.
In `@test/workflows/feature-ideation/compose-signals.bats`:
- Around line 94-103: The test "compose: scan_date and repo round-trip exactly"
calls compose_signals with a last_successful_run value but never asserts it; add
a one-line assertion that extracts '.last_successful_run' from the command
output (e.g., l=$(printf '%s' "$output" | jq -r '.last_successful_run')) and
assert [ "$l" = "2029-12-15T12:34:56Z" ] so compose_signals (and the output
JSON) round-trips last_successful_run verbatim.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: d8d97574-2df8-42f4-9968-0794cf0bab98
📒 Files selected for processing (13)
.github/schemas/signals.schema.json.github/scripts/feature-ideation/collect-signals.sh.github/scripts/feature-ideation/lib/compose-signals.sh.github/workflows/feature-ideation-reusable.ymlstandards/ci-standards.mdstandards/feature-ideation-sources.mdstandards/workflows/feature-ideation.ymltest/workflows/feature-ideation/collect-signals.batstest/workflows/feature-ideation/compose-signals.batstest/workflows/feature-ideation/fixtures/expected/empty-repo.signals.jsontest/workflows/feature-ideation/fixtures/expected/populated.signals.jsontest/workflows/feature-ideation/fixtures/expected/truncated.signals.jsontest/workflows/feature-ideation/fixtures/gh-responses/run-list-last-success.txt
- collect-signals.sh: use WORKFLOW_FILE env var (default: feature-ideation.yml) so repos that rename their caller stub can override without a code change; capture gh run list stderr in a temp file and log it when the fallback is triggered so auth/network failures are distinguishable from first-run - feature-ideation-reusable.yml: clarify propagation comment — changes reach @v1 stubs only after the v1 tag is bumped, not on every next run - ci-standards.md: align Tier-1 table wording with the @v1 tag-bump model - standards/workflows/feature-ideation.yml: reword sources_file comment to make clear users must uncomment AND change the path for non-default locations; show a non-default example path to reduce ambiguity Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
don-petry
dismissed
coderabbitai[bot]’s stale review
All findings addressed: hardcoded workflow filename replaced with ${WORKFLOW_FILE:-feature-ideation.yml}, stderr capture added for diagnostics, propagation wording corrected across workflow/standards files, sources_file comment clarified.
don-petry
commented
Apr 17, 2026
Contributor
Author
don-petry
left a comment
don-petry
left a comment
There was a problem hiding this comment.
Automated review — NEEDS HUMAN REVIEW
Risk: MEDIUM
Reviewed commit: bc8e529ea0f7a9a081d5b3bf829af9e5c8045b0a
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
CI is failing: the SonarCloud Code Analysis external check reports FAILURE on the current HEAD (bc8e529). All GitHub Actions checks pass (bats, ShellCheck, CodeQL, AgentShield all green), meaning the compose-signals arity fix and prior issues are resolved — but the SonarCloud quality gate is a blocking failure. Branch is also BEHIND main and must be rebased before merge.
Findings
Major
- [major] — SonarCloud Code Analysis external check is FAILURE on HEAD
bc8e529ea0f7a9a081d5b3bf829af9e5c8045b0a. This is a required CI gate. All GitHub Actions checks (bats, ShellCheck, CodeQL, AgentShield, Lint) pass — only the external SonarCloud Code Analysis check fails. PR cannot be approved until this is resolved.
Minor
- [minor] — Branch is BEHIND main (
mergeStateStatus: BEHIND). Author must rebase or merge main before the PR can cleanly land. - [minor]
.github/workflows/feature-ideation.yml:49— New file calls the reusable workflow at the mutable branch ref@feat/feature-ideation-sources-list. After this branch is merged and deleted, the ref will be invalid. Should be updated to@mainor a commit SHA before merging. (Impact is low — workflow isworkflow_dispatch-only withdry_run: truehardcoded.)
Info
- [info]
.github/scripts/feature-ideation/collect-signals.sh:83—last_successful_runvalue is passed tojqvia--arg(not string interpolation) and used only as prompt context — no injection risk. TheWORKFLOW_FILEenv var is set by the workflow, not by untrusted user input. - [info]
.github/workflows/feature-ideation-reusable.yml:109—actions: readpermission added togather-signalsjob is correctly minimal and scoped for thegh run listcall. No privilege escalation risk. - [info] — Prior cycle-2 issue (compose-signals.bats arity mismatch) is resolved — Feature Ideation Tests (bats) CI check shows SUCCESS. Prior arXiv
http://URL concern resolved — current diff useshttps://export.arxiv.orgRSS URLs. - [info]
.github/scripts/feature-ideation/collect-signals.sh:100— ISO-8601 validation guard and 30-day fallback are correct. TheT00:00:00Zsuffix appended todate_days_agofallback satisfies the JSON Schemaformat:date-timeconstraint.
CI status
- SonarCloud Code Analysis: FAILURE (blocking external check)
- bats, ShellCheck, CodeQL, AgentShield, Lint: PASS
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/feature-ideation-reusable.yml:
- Around line 311-336: The prompt currently interpolates the literal snippet
"Read: ${{ inputs.sources_file }}" and will render a confusing empty "Read: "
when inputs.sources_file == ''. Update the prompt generation to branch on
inputs.sources_file: if non-empty, emit the existing "Read: ${{
inputs.sources_file }}" line; if empty or missing, emit a clear alternative
(e.g., "No repo-local source list provided; proceed with open web search and log
a warning in the step summary") so Mary doesn't receive a bare Read: instruction
and the step summary records the missing file.
In @.github/workflows/feature-ideation.yml:
- Around line 32-40: Add a human-readable display name for the GitHub Actions
job with id "ideate" by adding a top-level name: key under the ideate job (e.g.,
name: "Ideate" or similar) so the workflow uses that label instead of the job
id; update both the workflow here and the companion stub to keep them
consistent.
- Around line 1-60: This workflow is a temporary feature-branch self-test pinned
to a specific SHA (bc8e529ea0f7a9a081d5b3bf829af9e5c8045b0a) which will become
stale if merged; either remove this test file before merging or convert it to a
permanent self-test by updating the uses: reference and the tooling_ref input
from the SHA to `@main` and adding a clear comment that the workflow "Feature
Research & Ideation — .github self-test" is intentionally permanent (and keep
dry_run as appropriate) so the pinned SHA is not left orphaned.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 5abc1b3f-f90d-434f-b187-1e61ba8fdc10
📒 Files selected for processing (5)
.github/scripts/feature-ideation/collect-signals.sh.github/workflows/feature-ideation-reusable.yml.github/workflows/feature-ideation.ymlstandards/ci-standards.mdstandards/workflows/feature-ideation.yml
If a caller passes sources_file: '' the prompt previously rendered a bare 'Read: ' instruction. Now uses a GitHub Actions expression to branch: non-empty value emits the Read instruction; empty/omitted emits a clear fallback note directing Mary to open web search and log a warning in the step summary. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
don-petry
dismissed
coderabbitai[bot]’s stale review
All findings addressed: empty sources_file guard added to Phase 2 prompt; temporary test stub deleted from branch (not merging to main); job name nitpick moot with stub deletion.
…ngth The format() expression was 241 chars, over the 200-char yamllint limit. Moving it to SOURCES_INSTRUCTION in the step env block (where the expression is still valid) and referencing $SOURCES_INSTRUCTION in the prompt string brings all lines under 200 chars. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The format() expression with backtick literals inside a GHA expression caused a YAML mapping-value syntax error at parse time. Replaced with a plain env var SOURCES_FILE_PATH + shell-style conditional in the prompt text — no GHA expressions inside the multiline prompt string, fully YAML-safe and under the 200-char line limit. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds the Feature Research & Ideation workflow to the .github repo itself, making it a BMAD-enabled consumer of its own reusable pipeline. Key configuration: - project_context: org-level DevX/tooling repo (CI standards, reusable workflows, BMAD framework, agent security) - sources_file: 'standards/feature-ideation-sources.md' — the template lives right here, so no copy needed - dry_run defaults to false (use workflow_dispatch input to enable) - actions: read permission for feed checkpoint Note: uses: SHA points to current v1. After this PR merges, bump the v1 tag to the new merge commit and update the SHA here. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
standards/feature-ideation-sources.md— an org-curated, PR-reviewed list of reputable web pages, RSS/Atom feeds, podcasts, and YouTube channels that the BMAD Analyst (Mary) consults during Phase 2: Market Research of the feature-ideation pipeline. Sources are organised into 9 categories (AI/ML labs, AI research, dev tooling/changelogs, security, eng practice/industry analysis, newsletters, podcasts, YouTube, conferences) with a one-line justification for every entry..github/workflows/feature-ideation-reusable.yml: a newactions/checkoutstep pullspetry-projects/.github@v1into.petry-standards/on the runner (public repo, defaultGITHUB_TOKENis sufficient), and the Phase 2 prompt is updated to instruct Mary to read the source list first, prefer listed RSS feeds over open web search, and only fall back to open search for uncovered threads. Phase 8's step-summary template gains an optional "Suggested Additions to Reputable Source List" section so high-value sources that keep recurring during runs surface for human review.standards/ci-standards.md§8 as the third component of the feature-ideation system, alongside the reusable workflow and the caller stub.Why
Without a curated seed list, Mary's Phase 2 research starts cold every week and re-discovers the same primary sources via open search — wasting turns on Opus 4.6 (~$2-3/run today) and occasionally citing weaker secondary sources when SEO results crowd out the primary ones. A versioned, PR-reviewed list:
standards/workflows/*andci-standards.mdalready work.The list is explicitly a floor, not a ceiling: Mary still follows threads to other reputable sources when warranted, and the new step-summary section gives a feedback loop for adding them via PR.
Test plan
feature-ideation.ymlon a BMAD adopter (TalkTerm) viaworkflow_dispatchand confirm the run logs show the new "Checkout central standards" step succeeding.Readof.petry-standards/standards/feature-ideation-sources.mdearly in Phase 2.gh repo view petry-projects/.githubis still public — if it ever flips to private, the checkout step will need a PAT.🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Chores
Documentation
Tests